Cyber Risks in the Boardroom

Managing Business, Legal and Reputational Risks
Perspectives for Directors and Executive Officers
Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing Threat Environment
June 12, 2015

Table of Contents
Overview
Governance
Assessing Your Company's Vulnerabilities and Risks
Mitigating Cybersecurity Risk
Response to Breach

Overview

A recent survey of more than 9,700 executives found that:
- 42.8 million cybersecurity incidents were detected by the respondents during 2014, an increase of more than 48% over 2013
- Globally, the average financial loss attributed to cybersecurity incidents during 2014 was $2.7 million, a 34% increase over 2013
- Reported financial losses of $20 million or more attributed to a single cybersecurity incident increased by 92% over 2013
- Employees, whether through negligence, inadvertence or malice, are the top cause of data breaches in the U.S.; the most costly breaches, however, are malicious in nature
- Being prepared to handle a data breach properly may significantly reduce the costs of an incident
- Expectations of shareholders, customers, regulators and law enforcement are evolving: data breaches are becoming less surprising, but companies will be held to a higher standard of preparedness and responsiveness

Source: PricewaterhouseCoopers LLP, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015

Governance

- Cybersecurity is not solely the responsibility of the technologists; preparation and response require coordination across the organization
- Senior management and the board should understand the risks and be briefed regularly on cybersecurity measures
- Specific members of senior management should be assigned primary responsibility for monitoring cybersecurity risks and for working with other company stakeholders to manage the interaction of cybersecurity controls and operational needs
- Depending on your company's internal capabilities, your company should consider retaining external advisers, including technical and legal advisers, to assist with its security assessment and preparedness and/or to test the company's security preparations
- The board should exercise oversight of cybersecurity preparedness, including through appropriate committee review
- The board may consider it appropriate to meet with external advisers in the course of its oversight

Assessing Your Company's Vulnerabilities and Risks

ASSESSMENT FRAMEWORK
How should your company assess risk?
- Periodic self-assessment by an identified group of employees, overseen by an identified supervisor or committee of supervisors
- Client reviews and audits
- Governmental or regulatory reviews and audits
- Joining a relevant information sharing and analysis center (ISAC) to exchange threat intelligence with other companies in your industry
- Use of external advisers
- Penetration and vulnerability testing, ideally performed by parties independent of the team that built or operates the systems under test

INFORMATION TO PROTECT
Identify the kinds of sensitive information that your company holds:
- Personal data of clients and employees (such as credit card data or financial or health-related information)
- Trade secrets
- Other commercially valuable or proprietary information
- Market-sensitive information, such as information on company results and/or potential transactions
- Other client information

SYSTEMS
Assess the risks posed by your company's IT profile:
- Cloud storage
- Mobile devices
- Distributed systems
- Third-party interconnection
- Physical security

Consider the nature of the threats to which your company is exposed:
- Theft of your company's information
- Theft of others' information held by your company
- Malicious behavior and interference with business (e.g., ransomware, denial-of-service attacks)
- Harassment, hacktivism and public exposure

THREAT ENVIRONMENT
- Employees, whether through malice, negligence or inadvertence
- Vendors and others with system access
- Hackers and other cyber-intruders
- Lone wolves
- Ideological groups
- Organized crime networks
- State-supported groups
- Physical intruders

PROTECTION OBLIGATIONS
Identify the obligations to which your company is subject regarding how information is to be protected:
- Legal and regulatory (federal, state, international)
- Contractual
- Professional (e.g., lawyers' ethical duties)

Mitigating Cybersecurity Risk

SECURITY POLICY
- Your company should have a comprehensive security policy intended to address the threats it faces
- The policy must comply with all applicable legal, contractual and professional requirements
- The policy should be designed to meet one or more applicable standards; these may include the NIST Cybersecurity Framework, ISO/IEC 27001, PCI DSS, COBIT, and the SANS Institute Critical Security Controls (now maintained as the CIS Controls)
- The policy should have both proactive and reactive components: reducing the likelihood of a breach, pre-breach measures to mitigate the effects of a breach, and a breach response plan

EMPLOYEES
Your company should establish measures to manage and mitigate the risks employees create:
- Screening and background checks at hiring
- Continued monitoring during employment
- Requirements that employees review the company's security policy and confirm that they understand and will comply with it
- Ongoing training in security awareness and risk mitigation

TECHNICAL CONTROLS
Your company should implement up-to-date technical controls to address cybersecurity risks:
- Consistent with industry best practices and otherwise appropriate to the specific threats the company faces
- Able to detect attempts to intrude into the company's systems and attempts by users to access information they are not authorized to see
- Able to detect unauthorized communications into and out of the company's network, since exfiltration of data typically leaves the network through outbound connections

SECURITY CONSIDERATIONS
Evaluate security considerations relating to employees:
- Password requirements
- Use of personal devices and other non-firm devices
- Use of public networks
- Ability to write to removable media
- Ability to download external programs onto the company's network or onto company devices
- Physical security of IT systems

CONTRACTORS AND VENDORS
Address the threats posed by contractors and vendors:
- They must understand your company's security requirements and agree to comply with them
- Your company should review their cybersecurity vulnerabilities and the potential impact of those vulnerabilities on your company
- Your company's contractual arrangements with contractors and vendors should provide for appropriate risk allocation and insurance, audit and review rights, and compliance with the requirements to which the company itself is subject

INSURANCE
Assess your company's position regarding cybersecurity insurance:
- Confirm whether your existing policies cover losses from data breaches; many general liability policies do not
- Consider specific cybersecurity coverage in addition to your general liability coverage
- Secure the correct amount of coverage

Response to Breach

RESPONSE TEAM
- There should be a plan in place, prepared in advance of any breach and known to all relevant personnel, for how to respond to a breach
- The plan should be reviewed and updated regularly to keep it current and to ensure that relevant personnel are familiar with it
- Identify the company personnel who will be on the team that handles the incident response; the team should include representatives from Technology, Legal, HR, Communications, Compliance, Customer Relations and Senior Management
- Specific responsibilities and leadership should be assigned in advance
- Understand which communications may be privileged, and therefore not subject to subsequent disclosure, and which will not be privileged
- Consider regularly holding breach-response exercises to test the plan and familiarize participants with its procedures, preferably both with and without prior notice

COMMUNICATIONS STRATEGY
- Your company's goal should be to control external messaging, not to react to it
- It may be preferable to volunteer disclosure before it is legally required
- Monitor the media, including blogs and social media, for what others may be saying
- Have a strategy for dealing with leaks in case news of the breach becomes public before your company is planning to make a statement

NOTICE OBLIGATIONS
Identify in advance all applicable notification requirements:
- State notification laws for personal data
- Specific federal notification requirements (HIPAA, GLBA)
- SEC and stock exchange requirements for public companies
- Legal obligations arising in jurisdictions outside the U.S.
- Contractual requirements
- Professional requirements, if applicable

NOTICE RECIPIENTS
Determine in advance who must be notified in the event of each type of breach, and who will be responsible for notifying them:
- Law enforcement and DHS
- Regulators
- Customers and clients
- Contractual counterparties, vendors, contractors and other partners
- Public filings

OUTSIDE SUPPORT
Identify in advance outside advisers to assist with breach response and integrate them into response planning:
- Technical advisers, including forensic consultants
- Legal advisers
- Public relations
- Government relations
- Credit monitoring services, if applicable

Identify in advance any limits on your ability to provide information to authorities (e.g., privacy laws, contractual restrictions) and consider methods for addressing those limitations.

www.sullcrom.com
Copyright 2015 Sullivan & Cromwell LLP. LG5614. Attorney Advertising. Prior results do not guarantee a similar outcome.